Adversaries stage malware on known malicious URLs (here, URLhaus entries tagged malware_download, mostly shell droppers served as bin.sh from high-numbered ports and a PowerShell loader on a shared hosting platform) and pull it into the network with ordinary download tooling, a step that perimeter controls keyed on file signatures often miss. SOC teams should proactively hunt for DNS resolutions of, and web requests to, these indicators in Azure Sentinel (now Microsoft Sentinel) so that any host that fetched a payload is identified and contained before the infection spreads.
IOC Summary
Threat: malware_download. Total URLs: 16 (11 online, 5 offline at the time of export).
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://219.155.231.76:33459/bin.sh | online | malware_download | 2026-05-27 |
| hxxp://219.155.231.76:33459/i | online | malware_download | 2026-05-27 |
| hxxps://remoto.ddins.click/download?file=mingw32.zip | online | malware_download | 2026-05-27 |
| hxxp://swing-nutten-hon-parameter.trycloudflare.com/z.zip | offline | malware_download | 2026-05-27 |
| hxxps://acre-ripe-exit-partial.trycloudflare.com/z.zip | offline | malware_download | 2026-05-27 |
| hxxps://swing-nutten-hon-parameter.trycloudflare.com/z.zip | offline | malware_download | 2026-05-27 |
| hxxp://acre-ripe-exit-partial.trycloudflare.com/z.zip | offline | malware_download | 2026-05-27 |
| hxxp://27.37.115.53:46745/i | online | malware_download | 2026-05-27 |
| hxxp://115.49.66.242:37194/bin.sh | online | malware_download | 2026-05-27 |
| hxxp://175.166.38.101:59038/bin.sh | online | malware_download | 2026-05-27 |
| hxxps://get-1o8.pages.dev/script.js | online | malware_download | 2026-05-27 |
| hxxps://get-1o8.pages.dev/script.ps1 | online | malware_download | 2026-05-27 |
| hxxps://get-1o8.pages.dev/putty.exe | offline | malware_download | 2026-05-27 |
| hxxp://42.176.15.48:44670/bin.sh | online | malware_download | 2026-05-27 |
| hxxp://42.87.41.126:57206/i | online | malware_download | 2026-05-27 |
| hxxp://42.87.41.126:57206/bin.sh | online | malware_download | 2026-05-27 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: malware_download
// Hostnames go in malicious_domains. IP literals never appear as a DNS query name, so they are matched against the resolved addresses instead of Name.
let malicious_domains = dynamic(["get-1o8.pages.dev", "remoto.ddins.click", "acre-ripe-exit-partial.trycloudflare.com", "swing-nutten-hon-parameter.trycloudflare.com"]);
let malicious_ips = dynamic(["175.166.38.101", "27.37.115.53", "42.176.15.48", "115.49.66.242", "219.155.231.76", "42.87.41.126"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains (proxy / firewall CEF logs)
// Threat: malware_download. The offline trycloudflare.com hosts are kept: a request made while they were live is still a download attempt worth triage.
let malicious_domains = dynamic(["get-1o8.pages.dev", "remoto.ddins.click", "acre-ripe-exit-partial.trycloudflare.com", "swing-nutten-hon-parameter.trycloudflare.com"]);
let malicious_ips = dynamic(["175.166.38.101", "27.37.115.53", "42.176.15.48", "115.49.66.242", "219.155.231.76", "42.87.41.126"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains) or DestinationIP in (malicious_ips) or RequestURL has_any (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DestinationHostName, RequestURL, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled (CEF from the proxy or firewall). Only devices that log full URLs populate RequestURL; firewall-only sources will match on DestinationIP and DestinationHostName. Check DeviceAction: a blocked request still identifies a host that tried to fetch the payload. |
| DnsEvents | Ensure this data connector is enabled (DNS Analytics on Windows DNS servers). A resolution shows intent, not a completed download; pivot the Computer or ClientIP into the CommonSecurityLog hunt to confirm. |
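The two queries above depend on getting the indicator lists right: URLhaus publishes defanged (hxxp) URLs, and a list that mixes hostnames and IP literals silently loses hits because an IP never appears as a DNS query name. The script below is an added example, not part of this hunt page: it refangs a subset of the IOC table above, splits hosts into domains and IPs, emits the two KQL `let` statements the queries use, and runs the same matching logic over constructed DNS and proxy records (the records are made up for the example and are not real telemetry).

```python
"""Normalise URLhaus IOCs into KQL lists and check constructed log records.

Added example, not part of the original hunt page. IOC_ROWS is a subset of
the IOC table above; DNS_SAMPLE and PROXY_SAMPLE are constructed test data.
"""
import ipaddress
import json
from urllib.parse import urlsplit

# Copied from the IOC table above (defanged, as URLhaus publishes them).
IOC_ROWS = [
    ("hxxp://219.155.231.76:33459/bin.sh", "online"),
    ("hxxps://remoto.ddins.click/download?file=mingw32.zip", "online"),
    ("hxxps://acre-ripe-exit-partial.trycloudflare.com/z.zip", "offline"),
    ("hxxps://get-1o8.pages.dev/script.ps1", "online"),
    ("hxxp://42.87.41.126:57206/i", "online"),
]


def refang(url: str) -> str:
    """Undo URLhaus defanging so urlsplit() sees a real scheme."""
    for fanged, real in (("hxxps://", "https://"), ("hxxp://", "http://")):
        if url.lower().startswith(fanged):
            return real + url[len(fanged):]
    return url


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def build_ioc_sets(rows):
    """Split IOC hosts into domains (matched against DNS query names and URL
    hosts) and IP literals (matched against resolved / destination IPs).
    Returns (sorted domains, sorted ips, set of normalised scheme://host/path)."""
    domains, ips, urls = set(), set(), set()
    for url, _status in rows:
        p = urlsplit(refang(url))
        host = p.hostname            # lower-cased, port stripped
        urls.add(f"{p.scheme}://{p.netloc}{p.path}".lower())
        (ips if is_ip(host) else domains).add(host)
    return sorted(domains), sorted(ips), urls


def kql_lets(domains, ips) -> str:
    """Render the two `let` statements used at the top of the KQL hunts."""
    return (f"let malicious_domains = dynamic({json.dumps(domains)});\n"
            f"let malicious_ips = dynamic({json.dumps(ips)});")


def _host_matches(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def match_dns(records, domains, ips):
    """records: (computer, query_name, [resolved_ips]) -> [(computer, name, reason)]."""
    hits = []
    for computer, name, resolved in records:
        name = name.lower().rstrip(".")
        if _host_matches(name, domains):
            hits.append((computer, name, "domain"))
        elif any(r in ips for r in resolved):        # IOC IP seen only as an answer
            hits.append((computer, name, "resolved-ip"))
    return hits


def match_proxy(records, domains, ips, urls):
    """records: (source_ip, request_url, dest_host) -> [(source_ip, url, reason)]."""
    hits = []
    for src, request_url, dest_host in records:
        p = urlsplit(request_url)
        host = (p.hostname or dest_host or "").lower()
        key = f"{p.scheme}://{p.netloc}{p.path}".lower()
        if key in urls:
            hits.append((src, request_url, "exact-url"))
        elif host in ips or _host_matches(host, domains):
            hits.append((src, request_url, "host"))
    return hits


# Constructed sample telemetry (not real logs).
DNS_SAMPLE = [
    ("ws-01", "get-1o8.pages.dev", ["104.21.0.1"]),          # domain hit
    ("ws-02", "cdn.example.internal", ["42.87.41.126"]),     # answer is an IOC IP
    ("ws-03", "pages.dev", ["104.21.0.2"]),                  # parent zone only, no hit
]
PROXY_SAMPLE = [
    ("10.0.0.5", "http://219.155.231.76:33459/bin.sh", ""),  # exact IOC URL
    ("10.0.0.6", "https://remoto.ddins.click/other.zip", ""),  # IOC host, other path
    ("10.0.0.7", "https://docs.example.com/z.zip", ""),      # benign
]

if __name__ == "__main__":
    d, i, u = build_ioc_sets(IOC_ROWS)
    print(kql_lets(d, i))
    print(match_dns(DNS_SAMPLE, d, i))
    print(match_proxy(PROXY_SAMPLE, d, i, u))
```

Feed the full URLhaus export into `IOC_ROWS` and paste the printed `let` statements into the queries; the `resolved-ip` reason is the case the single mixed list in a naive query would miss.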
Scenario: A system administrator or penetration tester deliberately downloads a URL from this list as part of an authorised security test.
Filter/Exclusion: Exclude only the specific tester hosts (by Computer or SourceIP) fetching the specific URLs they were authorised to use, bounded to the test window. Do not exclude by domain pattern: placeholder names such as testmaliciousurl.com or vulnscan.org will never appear in this list, and the URLs that do appear are live payload hosts, so a tester's download should still be recorded, just not alerted on.
Scenario: A scheduled job downloads updates from a legitimate internal repository, and the repository mirrors content from a URL flagged by URLhaus.
Filter/Exclusion: Exclude requests from the job's host to the internal repository hostname (e.g. internal-repo.example.com) once the artefact has been verified. Keep any hit where the repository itself fetched from the flagged external URL: that is a supply-chain finding, not noise. Requests do not carry a custom field such as internal_update in CommonSecurityLog, so the exclusion has to be expressed on SourceIP and DestinationHostName.
Scenario: A user clicks a phishing-simulation link that URLhaus has flagged, but the link belongs to the company's security awareness training.
Filter/Exclusion: Exclude the simulation platform's hostname (e.g. phishsim.example.com) as confirmed with the vendor. A query parameter such as ?training=true is not a safe discriminator, since anyone can append it to a real malicious URL.
Scenario: A DevOps pipeline uses wget or curl to download a dependency from a public registry, and the registry URL is mistakenly flagged.
Filter/Exclusion: Exclude the registry hostnames your package managers (npm, pip, Maven) actually pull from, scoped to the build hosts, and report the false positive to URLhaus. A custom header such as X-DevOps-Request: true is attacker-controllable and is not present in CommonSecurityLog anyway, so it cannot serve as an exclusion.
Scenario: A scheduled backup job downloads an archive from a cloud storage service, and the URL is flagged due to a false positive in URLhaus.
Filter/Exclusion: Exclude the specific bucket or container path the backup job uses, from the backup host only. Do not exclude whole providers such as s3.amazonaws.com or blob.core.windows.net, nor paths like /backup/ globally: this very list contains payloads on shared platforms (get-1o8.pages.dev, trycloudflare.com), and a provider-wide exclusion would suppress real hits.
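The common thread in the scenarios above is that an exclusion must be pinned to a source, a URL (or URL prefix) and a time window, and that a rule broad enough to cover one of the active IOCs from any source is a mistake. The following is an added example, not part of the original page, applying that rule set to constructed hunt hits; the hosts pt-01, ws-09, ws-10 and the rule reasons are made up for the example, while the IOC URLs are refanged entries from the table above.

```python
"""Scoped false-positive exclusions for URLhaus hunt hits.

Added example, not part of the original hunt page. Hits, hostnames and rule
reasons are constructed; ACTIVE_IOCS are refanged URLs from the table above.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlsplit

ANY_SOURCE = "*"   # wildcard source: only acceptable for rules that touch no IOC


@dataclass(frozen=True)
class Hit:
    time: datetime
    source: str          # Computer / SourceIP from the hunt query
    url: str


@dataclass(frozen=True)
class Exclusion:
    source: str          # exact host/IP allowed to fetch this, or ANY_SOURCE
    url_prefix: str      # lower-cased scheme://host[:port]/path prefix
    not_before: datetime
    not_after: datetime
    reason: str


def _norm(url: str) -> str:
    """scheme://host[:port]/path, lower-cased, query dropped."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}{p.path}".lower()


def is_excluded(hit: Hit, rules) -> bool:
    """A hit is suppressed only if some rule matches source, URL and time."""
    u = _norm(hit.url)
    return any(
        (r.source == ANY_SOURCE or r.source == hit.source)
        and u.startswith(r.url_prefix)
        and r.not_before <= hit.time <= r.not_after
        for r in rules
    )


def apply_exclusions(hits, rules):
    """Return (remaining_hits, suppressed_hits); suppressed hits are kept for audit."""
    keep, drop = [], []
    for h in hits:
        (drop if is_excluded(h, rules) else keep).append(h)
    return keep, drop


def overbroad_rules(rules, active_iocs):
    """(reason, ioc) pairs for wildcard-source rules that would silence an
    active IOC. A rule pinned to one source that covers an IOC is deliberate
    (the pentest box); a wildcard one is usually a whole hosting provider."""
    return [(r.reason, ioc) for r in rules if r.source == ANY_SOURCE
            for ioc in active_iocs if _norm(ioc).startswith(r.url_prefix)]


UTC = timezone.utc
ACTIVE_IOCS = ["https://get-1o8.pages.dev/script.ps1",     # from the table above
               "http://42.87.41.126:57206/bin.sh"]

# Constructed rules: one scoped correctly, one written the way scenario 5 warns against.
PENTEST_RULE = Exclusion("pt-01", "https://get-1o8.pages.dev/script.ps1",
                         datetime(2026, 5, 27, 9, 0, tzinfo=UTC),
                         datetime(2026, 5, 27, 17, 0, tzinfo=UTC),
                         "authorised pentest, ticket placeholder")
CDN_RULE = Exclusion(ANY_SOURCE, "https://",
                     datetime(2026, 1, 1, tzinfo=UTC), datetime(2026, 12, 31, tzinfo=UTC),
                     "allow all HTTPS downloads")

# Constructed hits, as the CommonSecurityLog hunt would surface them.
HITS = [
    Hit(datetime(2026, 5, 27, 10, 0, tzinfo=UTC), "pt-01", ACTIVE_IOCS[0]),   # in scope
    Hit(datetime(2026, 5, 27, 10, 5, tzinfo=UTC), "ws-09", ACTIVE_IOCS[0]),   # other host
    Hit(datetime(2026, 5, 28, 10, 0, tzinfo=UTC), "pt-01", ACTIVE_IOCS[0]),   # after window
    Hit(datetime(2026, 5, 27, 11, 0, tzinfo=UTC), "ws-10", ACTIVE_IOCS[1]),   # unrelated IOC
]

if __name__ == "__main__":
    kept, suppressed = apply_exclusions(HITS, [PENTEST_RULE])
    print(len(kept), "hits remain;", len(suppressed), "suppressed")
    print("overbroad:", overbroad_rules([PENTEST_RULE, CDN_RULE], ACTIVE_IOCS))
```

Run `overbroad_rules` against the current IOC list every time the exclusion set changes, and keep the suppressed hits rather than discarding them, so a rule that turns out to be too wide can be reviewed after the fact.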